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SUMMARY OF THE INVENTION 



The present patent document discloses techniques for aggregating log data in a 
distributed system. Previous methods for storing log data have either relied upon 
5 maintaining individual logs for each individual process on the local system or a central 
log for distributed systems wherein each individual system is executed by the same type 
operating system. 

Disclosed in various embodiments are apparatus and methods for gathering event 
data by a process executed by an operating system on a computer system, transferring 
10 that data to a logging process executed by an operating system on another computer 
system wherein the logging process operating system is intrinsically different from the 
operating system of the process that detected the event, and storing that data in a data log 
on the logging process computer system. Provision is also made for gathering, 
transferring, and storing event data for processes running on the computer system on 
1 5 which the data log is located. A representative data structure for the entries in the data 
log is also disclosed. 

The disclosures of the present patent document provide two primary advantages 
over the prior art: (I) logging of log data across different platforms and (2) aggregation 
of log data into one location. This aggregation mechanism is designed to allow multiple 
20 elements operating on diverse kinds of systems to log to a central system, which itself 
may be on any kind of system. An administrator can monitor the operation of a 
distributed system, as for example a distributed management tool, whose components 
may be distributed across a network and operating on multiple, geographically dispersed 
computers. 

25 Other aspects and advantages of the present invention will become apparent from 

the following detailed description, taken in conjunction with the accompanying drawings, 
illustrating by way of example the principles of the invention. 
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DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 



As shown in the drawings for purposes of illustration, the present patent 
document relates to a novel method for aggregating log data in a distributed system. 
Previous methods for storing log data for distributed systems have either relied upon 
maintaining individual logs for each individual process on its own local system or a 
central log wherein each individual system which accumulates log data is executed by 
a member of the same operating system family. Embodiments disclosed herein are not 
limited by such constraints. In particular, a process accumulating event data for storage 
in the central log may be running, not only on a remote computer, but also on an 
operating system which differs significantly from the operating system of the logging 
process. Other processes which accumulate such event data in the distributed system 
may be further executed by operating systems of even different families or types. In the 
following detailed description and in the several figures of the drawings, like elements 
are identified with like reference numerals. 

Figure 1 is a drawing of a distributed computer system 100 having a centralized 
data log 105 as described in various representative embodiments of the present patent 
document. In a first preferred embodiment as shown in figure 1 , the centralized data log 
105, also referred to herein as the data log 105, is stored in a computer memory 110, also 
referred to herein as a computer readable memory device 110, on a log computer system 
115. A log process 120, also referred to herein as a log program 120, executed by a log 
operating system 125 stores data in the data log 105. A first computer process 130, also 
referred to herein as a first computer program 130, is executed by a first operating system 
135 on a first computer system 140. The log operating system 125 may differ 
intrinsically in type from the first operating system 135. When the first computer process 
130 detects a first event 145 not shown in figure 1, the first computer process 130 
transmits description of the first event 145 as a first event description 150 to the log 
process 120 via a network 190. However, it is possible that means other than the network 
190 could be used to transmit the first event description 150 to the log process 120, as for 
example storing data on a magnetic disk and physically transferring the disk to the log 
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not shown in figure 2, the first computer process 130 transmits description of the first 
event 145 as the first event description 150 to the log process 120 via the network 190. 
However, it is possible that means other than the network 190, as for example storing 
data on a magnetic disk and physically transferring the data to the log computer system 
5 115, could be used to transmit the first event description 150 to the log process 120. The 
log process 120 stores the first event description 150 in the data log 105. In the second 
preferred embodiment, the log operating system 125 is intrinsically different from the 
first operating system 135. 

Also shown in figure 2 is an additional log system process 260 executed by the 
10 log operating system 125 on the log computer system 115. When the additional log 
process 260 detects an additional event 275 not shown in figure 2, the additional log 
system process 260 transmits description of the additional event 275 as an additional 
event description 280 to the log process 120. The log process 120 stores the additional 
event description 280 in the data log 105. In a representative embodiment, the additional 
1 5 log system process 260 transmits the additional event description 280 to the log process 
120 via the, network 190. In another representative embodiment, the additional log 
system process 265 transmits the additional event description 280 to the log process 120 
via paths internal to the log computer system 115. 

Figure 3 is a drawing of an entry for a data structure 300 for the centralized data 
20 log 105 as described in various representative embodiments of the present patent 
document. The entry for the data structure 300 comprises a system identification 310 and 
a component identification 315. The component identification 315 identifies the 
component which detected the event logged, and the system identification 310 identifies 
the system on which that component is located. The data structure 300 further comprises 
25 event time 320 which specifies the clock time at which the event occurred, and event data 
330 which provides information to the log user regarding the nature of the event detected 
and subsequently recorded in the data log 105. Other items could be included in the data 
structure 300, as for example operating system and computer system identification. Also, 
the event time 320 could include the date of the event, as well as the time of day at which 
30 the event occurred. Data structure 300 entries into the centralized data log 105 could be 
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of log data into one location. This aggregation mechanism is designed to allow multiple 
elements operating on diverse kinds of systems to log to a central system, which itself 
may be on any kind of system. An administrator can monitor the operation of a 
distributed system, as for example a distributed management tool, whose components 
may be distributed across a network and operating on multiple, geographically dispersed 
computers. 

While the present invention has been described in detail in relation to preferred 
embodiments thereof, the described embodiments have been presented by way of 
example and not by way of limitation. It will be understood by those skilled in the art 
that various changes may be made in the form and details of the described embodiments 
resulting in equivalent embodiments that remain within the scope of the appended claims. 
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««, <toraee medium readable by a computer, tangibly 
A computer program storage meai 

embodying a »f ' ^ 

con.pu.er to perform mChod steps t. s.oring event V» - 
cenhalized data log ,105, in a diluted computer system 1100,, the 
steps comprising: 

detecting a first event 1145] by a first computer process [130], 
wherein the first computer process 1130] is executable by a firs, 
operating system 1135]; 

"preparing a firs, event description [150], wherein the firs, event 
description 1150] describesthe firs, event [145]; 

fifing Ore first event description [150, <o a tog process 
mn, wherein ft. log process [120] is execute by a tog 
operating system [125], wherein the log operating system ^25] 
differs inhinsically in type from the first operating system [135]; 

living fire firs. even, description [150] by the log process 
[120]; and 



22 



storing the first event description [150] in the centralized data log 
[105]. 



2. The computer program storage medium as recited in claim 1, providing 
2 the first event description [150] is transmitted from the first computer 

process [130] to the log process [120] via a network [190]. 

3. The computer program storage medium as recited in claim 1, the steps 
2 further comprising: 

4 detecting a second event [175] by a second computer process [160], 

wherein the second computer process [160] is executable by a second 
6 operating system [165]; 

8 preparing a second event description [180], wherein the second event 



description [180] describes the second event [175]; 

10 

transmitting the second event description [180] to the log process [120]; 

12 

receiving the second event description [180] by the log process [120]; and 

14 

storing the second event description [180] in the centralized data log 



16 [105]. 

4. The computer program storage medium as recited in claim 3, providing 
2 the second event description [180] is transmitted from the second 

computer process [160] to the log process [120] via a network [190]. 

5. The computer program storage medium as recited in claim 3, providing 
2 the second operating system [165] differs intrinsically in type from the 



first operating system [1351. 



The computer program storage medium as recited in claim 3, providing 
the second operating system 11651 differs intrinsically in type from fee 
log operating system [125]. 

Acomputerreadabie memory devicelllO] encoded witi, a date structure 
1300] for transferring data between a first computer process 1130) and a 
,og process 11201, the first computer process 1130) having functions for 
transferring an event description 1150, to the log process 1120,, the 

lotions having associated parameters, the data structure [300] havmg 

entries, each entry containing: 

event date [3301, wherein the event data [330, describes a detected even. 
11451; 



acomponent identification 1315), wherein tire component identificanon 
, 31 5, identifies a component detecting the event 1145, and wherein tire 
event [145, is described by the event description 11501, and 

a system identification [3101, wherein the system identification 1310) 
identifies a system, wherein "the system comprises the component 
detecting the event [145]. 

The computer readable memory device 1110] as recited in claim 7, 
providing the data structure [300, further contains an event tome [320], 
whereintheeventtime [320, is the clock time of event [145, occurrence. 

A distributed computer system [100, for storing data, comprising: 
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<~ nrocess 11301 executable by a first operating system 
a first computer process i^ui 

1135); 

a log process |Uf) executable by a log operating system 1125], wherein 
system [135]; and 

d, firs, computer process ,130, comprises functions for — 

rsO^^f^co^P^sUSOJandfor^nng^ftsteven, 
description 11501 in the data log [1051. 

^di^dcontpu^sy.temUOO, a, recited in claim 9, wherein the 
[13 01 to the log process (120) via a network (1901. 
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